NoScript, a must-have Firefox security extension
Date : July 30, 2008
It must be noted that the vulnerabilities we face these days increasingly target Internet users, their browsing habits and, more specifically, their everyday working tools. The browser, whether Internet Explorer, Firefox, Opera or any other, is at the core of navigation on the Internet and thus becomes a prime target.
Often caught up in a quest for information on the web, for instance when searching on Google, the Internet user pays little attention to certain errors or incidents while browsing dynamic content pages. It is therefore no surprise that browsers and Internet technologies are becoming more attractive to attackers.
For a long time we have recommended that our community be vigilant when surfing the Internet: browse only trusted sites, be cautious with certain URIs, check and validate certificates, and pay attention to any abnormal navigation. This is easier said than done, even for IT security people who are experienced in good browsing practices.
To help with this task, if there were a single security extension to recommend for browsing "safely", security experts would without hesitation say "NoScript".
This article focuses on that security extension, which is unfortunately only available for Firefox and browsers based on it (Flock, SeaMonkey, etc.). Recommended many times in the Cert community, and used for a long time by our security teams, the extension deserved an article.
Before continuing, and since not everyone is familiar with Firefox, let alone with its extensions, a short reminder of what Firefox extensions are.
What is a Firefox extension?
Firefox extensions allow users to add new features to their browser or to expand existing ones. Some appear as toolbars, buttons or context menus that the user can operate as if they were built into the browser.
A Firefox extension takes the form of an XPI (Cross-Platform Installer) archive containing several files that describe the extension's code, its install manifest, its localized strings and its configuration.
What are they used for?
There are numerous categories. Without being exhaustive, let us cite those that give access to RSS feeds, read PDF files, provide dictionaries from within the browser, block advertising sites, give weather forecasts, help with web development or facilitate downloads (see https://addons.mozilla.org).
In short, these extensions exist to extend Firefox's features.
What about NoScript?
NoScript is an open-source security extension that brings new protection features to the Firefox browser and its derivatives. Overall its goal is very simple: to block the JavaScript code executed when visiting pages, so as to make browsing pages that use this language more secure. In particular, it blocks pop-up windows, automatic script execution, redirections to other sites and many other JavaScript artefacts if the user does not trust the visited site.
How does it work?
The main principle of NoScript is a "white list" model: "Anything not explicitly permitted is implicitly prohibited".
NoScript lets the user maintain a list of the sites he or she trusts. It offers many parameters to refine the restrictions and to control the blocking/unblocking of dynamic content on pages.
Features
In early versions, NoScript aimed only at preventing "uncontrolled" use of JavaScript. Over time the developers have enriched the extension so that it also blocks other dynamic content technologies such as Java, Flash, Silverlight, etc.
From a security standpoint, this type of restriction helps to avoid XSS (Cross-Site Scripting), XSRF (Cross-Site Request Forgery) and phishing attacks, as well as those based on malicious Flash files. It is a mitigation rather than a guarantee: a script is blocked only as long as the site it comes from is not on the user's white list.
In practice, and without being exhaustive, Java applets, JAR files, Flash or QuickTime objects, PDF documents and videos cannot be downloaded or displayed automatically as long as the user has not granted trust, either temporarily or permanently.
NoScript offers many features:
- Restriction of access (locking/unlocking) to pages:
- temporarily
- permanently
- Authorization of JavaScript globally
This option should of course be left disabled, since it allows JavaScript for all sites and the "white list" is no longer consulted.
- Notification of blocked pages
- Anti-XSS protection
- Conversion of cross-site POST requests to GET requests
- Possibility of exceptions to the restrictions in certain cases
Restrictions and restriction validity
NoScript uses the term "plug-in" for the technologies it is able to block: JavaScript, Java, Flash, Silverlight and so on.
In terms of restrictions, NoScript allows the user to:
- Permit/Prohibit JavaScript
- Permit/Prohibit Java
- Permit/Prohibit Adobe Flash
- Permit/Prohibit other plug-ins that might be launched by JavaScript
- Prohibit "IFRAME"
- Block XSS, XSRF and phishing attacks (Anti-XSS protection)
In terms of validity of the restrictions, it is possible to:
- Temporarily permit sites to use JavaScript and plug-ins for the duration of a session
- Permanently permit sites to use JavaScript and plug-ins.
Note that NoScript also allows specific restrictions to be excluded from the "white list" for particular visited sites.
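The white-list model described under "How does it work?" and the temporary/permanent permissions above can be sketched in a few lines of JavaScript. The following is an added example written for this article, not NoScript's own code; it assumes a simplified matching rule (a listed host also covers its subdomains), that temporary entries vanish at the end of the browser session, and the hypothetical names ScriptPolicy and evaluatePage. The status it computes corresponds to the three status-bar icons described in the Notification section.

```javascript
// Added example, not NoScript's own code: a minimal model of the default-deny
// allow-list described in the article. Assumptions: entries are hostnames, a
// listed host also covers its subdomains, and temporary entries last for one
// browser session.

class ScriptPolicy {
  constructor() {
    this.permanent = new Set();   // "Allow <site>"
    this.temporary = new Set();   // "Temporarily allow <site>"
    this.globalAllow = false;     // "Allow JavaScript globally": the list is ignored
  }

  allow(host, { temporary = false } = {}) {
    (temporary ? this.temporary : this.permanent).add(host.toLowerCase());
  }

  forbid(host) {
    this.permanent.delete(host.toLowerCase());
    this.temporary.delete(host.toLowerCase());
  }

  // Browser restart, or "Revoke temporary permissions"
  endSession() {
    this.temporary.clear();
  }

  // Default deny: true only if the host itself or one of its parent domains
  // is listed, e.g. static.cdn.example -> cdn.example (never the bare TLD).
  isAllowed(host) {
    if (this.globalAllow) return true;
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join('.');
      if (this.permanent.has(candidate) || this.temporary.has(candidate)) {
        return true;
      }
    }
    return false;
  }
}

// Decide what a page may run. Inline scripts count as the page's own host;
// external scripts are judged by the host they are loaded from.
function evaluatePage(policy, pageUrl, scriptUrls) {
  const hosts = [pageUrl, ...scriptUrls].map(u => new URL(u).hostname);
  const run = [];
  const blocked = [];
  for (const h of hosts) {
    (policy.isAllowed(h) ? run : blocked).push(h);
  }
  // Status-bar icon: "S" = everything allowed, crossed-out "S" = everything
  // blocked, partially crossed-out "S" = some sources allowed, some not.
  let status = 'blocked';
  if (blocked.length === 0) status = 'allowed';
  else if (run.length > 0) status = 'partial';
  return { run, blocked, status };
}

// Constructed sample: a trusted news site that loads a library from a CDN
// allowed only for this session and a script from an ad network the user
// has never trusted.
const samplePolicy = new ScriptPolicy();
samplePolicy.allow('news.example');
samplePolicy.allow('cdn.example', { temporary: true });
const sampleScripts = [
  'https://static.cdn.example/lib.js',
  'https://ads.tracker.example/track.js',
];
const beforeRestart = evaluatePage(samplePolicy, 'https://www.news.example/article', sampleScripts);
samplePolicy.endSession();               // the temporary permission is gone
const afterRestart = evaluatePage(samplePolicy, 'https://www.news.example/article', sampleScripts);
console.log(beforeRestart.status, JSON.stringify(beforeRestart.blocked));
// partial ["ads.tracker.example"]
console.log(afterRestart.status, JSON.stringify(afterRestart.blocked));
// partial ["static.cdn.example","ads.tracker.example"]
```

Setting globalAllow to true makes isAllowed return true for every host without consulting either set, which is exactly why the article advises leaving the "Allow JavaScript globally" option disabled.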
Notification
When blocking a site, NoScript displays a banner to warn the user that he/she is potentially browsing a hazardous site. There are several notification levels the user can set, so that repeated confirmation requests do not annoy the user too much.
Moreover, NoScript uses an icon representing an "S" in the browser's status bar to indicate whether the extension has blocked something on the currently visited page. The most important icons are:
- An "S" icon: no restriction on the page. The site is trusted.
- A crossed-out "S" icon: the site is not trusted, and potentially dangerous.
- A partially crossed-out "S" icon: the site is partly trusted, i.e. some of the sources it loads from are not trusted.
WARNING
It is essential to bear in mind that NoScript will not prevent XSS, XSRF or similar attacks if the user has trusted the site relaying the attack, or has trusted the site hosting the malicious XSS code. Trusting a site switches the protection off for everything that comes from it.
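To make the warning concrete, here is a simplified cross-site request filter in the spirit of NoScript's Anti-XSS protection and its POST-to-GET conversion. It is an added example written for this article, not NoScript's code and not its real detection heuristics; it assumes a Set of trusted hostnames, a request object of the form { fromHost, method, url, body }, a deliberately crude pattern list, and the hypothetical function names looksLikeXss, neutralize and filterCrossSiteRequest. The point it shows is the one the warning makes: the same payload is defanged when it comes from an untrusted page and passed through untouched when the relaying site is on the white list.

```javascript
// Added example, not NoScript's own code and not its real detection rules:
// a simplified cross-site request filter in the spirit of the Anti-XSS
// protection. Assumptions: `trusted` is a Set of hostnames, and a request is
// { fromHost, method, url, body } where fromHost is the origin the request
// was triggered from.

// Crude patterns for content that could run as script if reflected into a page.
const SUSPICIOUS = [
  /<\s*script/i,
  /javascript\s*:/i,
  /\bon\w+\s*=/i,                    // onerror=, onload=, ...
  /<\s*(iframe|object|embed|svg)/i,
];

function looksLikeXss(value) {
  return SUSPICIOUS.some(re => re.test(value));
}

// Defang rather than drop: the request still reaches the site, but the
// characters needed to break out into markup or script are gone.
function neutralize(value) {
  return value
    .replace(/[<>"'`]/g, ' ')
    .replace(/javascript\s*:/gi, 'javascript ')
    .replace(/\b(on\w+)\s*=/gi, '$1 ');
}

function filterCrossSiteRequest(trusted, request) {
  const url = new URL(request.url);
  const actions = [];

  // Same-site requests and requests coming from a trusted origin are not
  // inspected at all. This is the situation the WARNING describes:
  // trusting the relaying site switches the protection off for it.
  if (request.fromHost === url.hostname || trusted.has(request.fromHost)) {
    return { ...request, actions };
  }

  let { method, body } = request;
  if (method === 'POST') {           // untrusted cross-site POST becomes a GET
    method = 'GET';
    body = null;
    actions.push('post-to-get');
  }

  let sanitized = false;
  for (const [key, value] of [...url.searchParams]) {
    if (looksLikeXss(value)) {
      url.searchParams.set(key, neutralize(value));
      sanitized = true;
    }
  }
  let fragment = url.hash.slice(1);
  try { fragment = decodeURIComponent(fragment); } catch (e) { /* keep raw */ }
  if (looksLikeXss(fragment)) {
    url.hash = neutralize(fragment);
    sanitized = true;
  }
  if (sanitized) actions.push('sanitized');

  return { fromHost: request.fromHost, method, url: url.href, body, actions };
}

// Constructed sample: the same reflected-XSS payload sent once from an
// untrusted page and once from a site on the user's white list.
const trustedSites = new Set(['news.example']);
const payloadUrl = 'https://target.example/search?q=<script>alert(1)</script>';
console.log(filterCrossSiteRequest(trustedSites,
  { fromHost: 'evil.example', method: 'POST', url: payloadUrl, body: 'x=1' }).actions);
// [ 'post-to-get', 'sanitized' ]
console.log(filterCrossSiteRequest(trustedSites,
  { fromHost: 'news.example', method: 'POST', url: payloadUrl, body: 'x=1' }).actions);
// []
```

The second call is the case the warning is about: once news.example is trusted, nothing it relays is inspected, so a reflected XSS on target.example launched through a trusted page is not stopped. The pattern list is deliberately minimal; a real filter has to cope with encodings, obfuscation and many more contexts than these four expressions.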
Conclusion
For some people NoScript is "a must-have security extension" for Firefox. For others it is "tedious" in practice, because some sites are not displayed correctly under NoScript's restrictions on dynamic content. The former weigh the security contribution of NoScript, the latter the constraints of having to validate (trust) the sites they visit. It is true that for some sites the browser may suddenly display a blank or "sloppy" page. However, NoScript's notification warns the user that the page content is potentially dangerous.
Without entering the more or less controversial debate on "white-listing versus black-listing" ("Anything that is not permitted is therefore prohibited" versus "Anything that is not prohibited is therefore permitted"), NoScript is an extension that really deserves the attention of those involved in security. It is even surprising that it has not been embedded directly into the browser itself, given how useful it is.
Cert-IST encourages you to give it a try and perhaps to adopt it.
For more information:
Official Site: http://noscript.net
Extensions: https://addons.mozilla.org